Sendmail

sendmail - server sending spam?

  • September 10, 2013

Over the past day my server has been used to send spam. I am using the Amazon Linux distro (RedHat based). It has sendmail 8.14.4. It is set up to require authentication, SSL, etc. Below are some excerpts from the logs and the mqueue. How can I find out what is going on and fix it?

Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<sepoh@project-syndicate.org>, size=464, class=0, nrcpts=10, msgid=<201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 21:57:12 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<curlieq123@aol.com>, delay=00:00:18, xdelay=00:00:09, mailer=esmtp, pri=390464, relay=mailin-01.mx.aol.com. [205.188.159.42], dsn=5.1.1, stat=User unknown
Sep 10 21:57:19 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<debbie381@earthlink.net>, delay=00:00:25, xdelay=00:00:03, mailer=esmtp, pri=390464, relay=mx1.earthlink.net. [209.86.93.226], dsn=2.0.0, stat=Sent (1vju3P5qX3Nl34d0 Message accepted for delivery)
Sep 10 21:57:20 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<leocnandez@gmail.com>, delay=00:00:26, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=gmail-smtp-in.l.google.com. [74.125.136.27], dsn=2.0.0, stat=Sent (OK 1378843040 x42si1080567eel.116 - gsmtp)
Sep 10 21:57:21 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<foxxychocolate69@hotmail.com>, delay=00:00:27, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=5.1.1, stat=User unknown
Sep 10 21:57:22 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<neville.jackson@hotmail.com>,<jsepeda92@hotmail.com>, delay=00:00:28, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=2.0.0, stat=Sent ( <201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org> Queued mail for delivery)
Sep 10 21:57:24 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<123@nna.com>, delay=00:00:30, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=zeno.mx25.net. [207.210.234.36], dsn=2.0.0, stat=Sent (893 bytes received in 00:00:00; Message id 201309101457230095 accepted for delivery)
Sep 10 21:57:25 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<zzdarec@seznam.cz>, delay=00:00:31, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx1.seznam.cz. [77.75.76.42], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:26 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<zzdarec@seznam.cz>, delay=00:00:32, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.seznam.cz. [77.75.76.32], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<patmcdyer@yahoo.com>,<vbrianbulfer@yahoo.com>, delay=00:00:34, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mta5.am0.yahoodns.net. [98.138.112.34], dsn=2.0.0, stat=Sent (ok dirdel 1/1)
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: r8AJvS4i011781: DSN: User unknown

> V8 T1378843014 K0 N0 P300464 Fbs
> $_dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged) $rESMTP $saambanyoqp ${daemon_flags}s a
> ${if_addr}10.246.123.145 S<sepoh@project-syndicate.org> rRFC822;
> curlieq123@aol.com RPFD:<curlieq123@aol.com> rRFC822;
> debbie381@earthlink.net RPFD:<debbie381@earthlink.net> rRFC822;
> leocnandez@gmail.com RPFD:<leocnandez@gmail.com> rRFC822;
> jsepeda92@hotmail.com RPFD:<jsepeda92@hotmail.com> rRFC822;
> foxxychocolate69@hotmail.com RPFD:<foxxychocolate69@hotmail.com>
> rRFC822; neville.jackson@hotmail.com
> RPFD:<neville.jackson@hotmail.com> rRFC822; 123@nna.com
> RPFD:<123@nna.com> rRFC822; zzdarec@seznam.cz RPFD:<zzdarec@seznam.cz>
> rRFC822; vbrianbulfer@yahoo.com RPFD:<vbrianbulfer@yahoo.com> rRFC822;
> patmcdyer@yahoo.com RPFD:<patmcdyer@yahoo.com> H?P?Return-Path:
> <<81>g> H??Received: from aambanyoqp
> (dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged))
>         (authenticated bits=0)
>         by ps-aws-p1.project-syndicate.org (8.14.4/8.14.4) with ESMTP id r8AJtH4r011662
>         (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO);
>         Tue, 10 Sep 2013 21:56:54 +0200 H?M?Message-Id: <201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org>
> H??Subject: H??From: "Wri Jm" <sepoh@project-syndicate.org> H??To:
> <vbrianbulfer@yahoo.com>, <jsepeda92@hotmail.com>,
>         <debbie381@earthlink.net>, <curlieq123@aol.com>,
>         <foxxychocolate69@hotmail.com>, <leocnandez@gmail.com>, <123@nna.com>,
>         <zzdarec@seznam.cz>, <neville.jackson@hotmail.com>,
>         <patmcdyer@yahoo.com> H??Date: Tue, 10 Sep 2013 20:47:12 -0700 H??Mime-Version: 1.0 H??Content-Type: text/plain; charset="utf-7"

Most likely the SMTP password has been compromised.

Log SMTP AUTH credentials with your sendmail - increase LogLevel to 10. Required sendmail.mc line:

define(`confLOG_LEVEL', `10')dnl

sendmail.mc needs to be recompiled into sendmail.cf. The sendmail daemon needs to be restarted (or sent a HUP signal) to "see" the new version of sendmail.cf.

Logging authentication information in sendmail
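Once LogLevel 10 is in place, the AUTH=server lines let you tie each message to the login that sent it. The following is an added example (not from the post or the sendmail project) that correlates AUTH=server lines with the later from= lines by PID over a constructed maillog sample; the login names mailuser1 and alice, the example.net and example.org relay hosts, and the later queue ids are invented.

```python
import re
from collections import defaultdict

# AUTH=server line (LogLevel 10): no queue id, so correlate with from= by PID.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>.+?), "
    r"authid=(?P<authid>\S+), mech=")
# from= line: queue id, envelope sender, recipient count and the client relay.
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r".*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>.+)$")

# Constructed sample: the login names, the second and third relay hosts and
# the later queue ids are invented; the line shapes follow sendmail's maillog.
SAMPLE_LOG = """\
Sep 10 21:56:54 ps-aws-p1 sendmail[11662]: AUTH=server, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged), authid=mailuser1, mech=LOGIN, bits=0
Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<sepoh@project-syndicate.org>, size=464, class=0, nrcpts=10, msgid=<a@ps-aws-p1>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 21:58:10 ps-aws-p1 sendmail[11900]: AUTH=server, relay=host-203-0-113-7.example.net [203.0.113.7], authid=mailuser1, mech=PLAIN, bits=0
Sep 10 21:58:11 ps-aws-p1 sendmail[11900]: r8AJwB9c011900: from=<sepoh@project-syndicate.org>, size=470, class=0, nrcpts=45, msgid=<b@ps-aws-p1>, proto=ESMTP, daemon=TLSMTA, relay=host-203-0-113-7.example.net [203.0.113.7]
Sep 10 22:01:00 ps-aws-p1 sendmail[12010]: AUTH=server, relay=office.example.org [198.51.100.9], authid=alice, mech=PLAIN, bits=0
Sep 10 22:01:02 ps-aws-p1 sendmail[12010]: r8AK12Ab012010: from=<alice@project-syndicate.org>, size=2100, class=0, nrcpts=1, msgid=<c@ps-aws-p1>, proto=ESMTP, daemon=TLSMTA, relay=office.example.org [198.51.100.9]
"""

def summarize_auth_senders(lines):
    """Map each SMTP AUTH login to what it sent: messages, recipients, client hosts."""
    session_login = {}          # pid -> (authid, client host) once AUTH succeeded
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "relays": set(), "forged_hint": 0})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:   # one session may send several messages, so keep the mapping
            session_login[m["pid"]] = (m["authid"], m["relay"].split(" [")[0])
            continue
        m = FROM_RE.search(line)
        if not m or m["pid"] not in session_login:
            continue            # unauthenticated or unrelated line
        authid, host = session_login[m["pid"]]
        s = stats[authid]
        s["messages"] += 1
        s["recipients"] += int(m["nrcpts"])
        s["relays"].add(host)
        if "(may be forged)" in m["relay"]:  # reverse DNS did not match the client
            s["forged_hint"] += 1
    return dict(stats)

def suspicious(stats, max_rcpts=50, max_relays=3):
    """Logins whose volume or spread of client hosts suggests a leaked password."""
    return sorted(a for a, s in stats.items()
                  if s["recipients"] > max_rcpts or len(s["relays"]) > max_relays)
```

Run it over the real maillog with `summarize_auth_senders(open("/var/log/maillog"))` and the flagged login is the password to rotate first.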

Source: https://serverfault.com/questions/537898